General
-
Target
jhn1u7ntf6 (infected).zip
-
Size
88KB
-
Sample
250101-dzrseasrdz
-
MD5
e2481c9a4bab9de047ee78cd73c5a515
-
SHA1
2a93f1a67f79c7d39a7dbdf30d6c50470222201d
-
SHA256
fde03fad4f43274464e140fda3ee3661d2470a88786ba0bf7a2a606f39258a5b
-
SHA512
a3ae3ec6c284704626db69615c3ba7666a9232ed007f63dbfa9837b60326668fe46169482c2c368651b0d7829b00d36e775958842024f9994a21204749b9db7c
-
SSDEEP
1536:o//RaU8WO0As1X6oUdVsH83i2dGjES4B2Cls3829Ora/qKxTSUJiEf++TouR+LI:U5ab7QZUd+H83i0Xf529ia19SLcTHcc
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1323224754576166912/ngAQr5IRg8PVqlg_GePwPe46g-WcVmFR7-gQu1RH44lVF1JX9hv6jSy8rNgxBAU6LxYx
Targets
-
-
Target
jhn1u7ntf6.exe
-
Size
229KB
-
MD5
b56af795f8b7edc6f35a9e905921ed0e
-
SHA1
c82cb0088bc9c93fd9a491ad278f410d44265a4d
-
SHA256
46a67cdc899f61ccb6324d187d56b389f720d72beb02594fd60fdc4a8ca62ab4
-
SHA512
c35b429e243845337903fa5cc6853c6921514b2fcd84e7788607aa47414be9b2101c8b87acd1766666daa7fc0cdd2b7a5be19ac5754db8f12c3e262ea792f9c6
-
SSDEEP
6144:dloZM+rIkd8g+EtXHkv/iD4M7+QWRJ6RvSgR1E9/gF8e1mfIi:/oZtL+EP8M7+QWRJ6RvSgR1Ecqx
Score10/10-
Detect Umbral payload
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1